8.5 Authorisation data

The Windows 2000 KDC also adds extra authorisation data in tickets.
It is at this point unclear what triggers it to do this. The format of
this data is only available under a “secret” license from Microsoft,
which prohibits you implementing it.

A simple way of getting hold of the data to be able to understand it
better is described here.

Find the client example on using the SSPI in the SDK documentation.

Change “AuthSamp” in the source code to lowercase.

Build the program.

Add the “authsamp” principal with a known password to the
database. Make sure it has a DES key.

Run ktutil add to add the key for that principal to a
keytab.

Run appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file where file is an appropriate file.

It should authenticate and dump for you the authorisation data in
the file.

The tool lib/asn1/asn1_print is somewhat useful for
analysing the data.